Recommended Security Settings


Last modified: December 6, 2019

Overview

Use our recommended security settings to ensure the security of your server.

More:
  • For more information about scripts and server modification software that can help secure your server, read our Additional Security Software documentation.

  • For more information about basic server security, read our Basic Security Concepts documentation.

  • For more information about configuring SSH access, read our How to Secure SSH documentation.

Security and Virus Scans in WHM

The following features scan your server for viruses and security weaknesses. After you identify a potential security threat, these features prompt you with how to resolve each issue.

  • Security Advisor — WHM’s Security Advisor interface (WHM >> Home >> Security Center >> Security Advisor) runs a security scan on your server, and it advises you about how to resolve any security issues that it finds.

  • Background Process Killer — WHM’s Background Process Killer interface (WHM >> Home >> System Health >> Background Process Killer) allows you to select processes that the system will terminate when the upcp script calls the system maintenance script (/scripts/maintenance) every night. After the system terminates a process, it will send you a notification via email.

  • Configure ClamAV Scanner — WHM’s Configure ClamAV Scanner interface (WHM >> Home >> Plugins >> Configure ClamAV Scanner) is an antivirus software toolkit. It searches your server for malicious programs and flags any files that contain security threats.

Use the following checklists as quick references for the security settings that we recommend.

Tweak Settings checklist

We recommend the following settings for WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings):

  • Hide login password from cgi scripts — Enable this setting to allow you to hide the REMOTE_PASSWORD environment variable from scripts that the cpsrvd daemon’s CGI handler executes.

  • Referrer safety check — Enable this setting to only permit cPanel, Webmail, and WHM to execute functions when the browser-provided referrer (port and domain or IP address) exactly matches the destination URL.

    • This helps prevent XSRF attacks but may break integration with other systems, login applications, and billing software.
    • You must use cookies if you enable this setting.
  • Initial default/catch-all forwarder destination — Select Fail to automatically discard un-routable email that your server’s new accounts receive. This setting helps to protect your server from mail attacks.

  • Verify signatures of 3rdparty cPaddons — Enable this setting to verify GPG signatures of all third-party cPAddons. To use this setting, you must enable the Signature validation on assets downloaded from cPanel & WHM mirrors setting.

  • Prevent “nobody” from sending mail — Enable this setting to block email that the nobody user sent to the remote address.

  • Add X-POPBeforeSMTP header for mail sent via POP-before-SMTP — Enable this setting to include a list of POP-before-SMTP senders in the X-POPBeforeSMTP header for outgoing email.

  • Enable SPF on domains for newly created accounts — Enable this setting to deny spammers the ability to send email when they forge your domain’s name as the sender (spoofing).

  • Service subdomain override — Disable this setting to prevent automatically-generated service domains when a user creates a cPanel, Webmail, Web Disk, or WHM subdomain.

  • Service Subdomain Creation — Disable this setting to prevent the addition of cPanel, Webmail, Web Disk, and WHM service subdomain DNS entries to new accounts.

  • Cookie IP validation — Disable this setting to allow logins regardless of the user’s IP address.

    Important:

    We strongly recommend that you do not rely on cookie-based IP validation.

Security Center checklist

We recommend the following settings for WHM’s Security Center section (WHM >> Home >> Security Center):

  • Password Strength Configuration — This feature allows you to specify a minimum password strength for accounts that your server hosts. Set this to a value of 50 or greater.

  • PHP open_basedir Tweak — Enable this setting to require users to manually specify the open_basdir setting in their relevant php.ini files if PHP runs as a CGI, SuPHP, or FastCGI process.

    Important:

    We removed this interface in cPanel & WHM version 78. If your system runs EasyApache 4, change this directive in the Editor Mode section of WHM’s MultiPHP INI Editor interface (WHM >> Home >> Software >> MultiPHP INI Editor).

  • Apache mod_userdir Tweak — Enable this setting so users cannot bypass bandwidth limits when they use the Apache mod_userdir redirection to access their site (for example, http://example.com/~username).

    Note:

    We recommend that you exclude the Default Virtual Host from mod_userdir protection. This allows all users to access their sites on your server without affecting other users’ bandwidth.

  • Compiler Access — Disable this setting to disable compiler access for unspecified users. This will help prevent attacks on your server.

  • Manage Wheel Group Users — Remove all users except for root and your main account. This feature allows you to set a list of users who can use the su command in order to become the root user.

  • Shell Fork Bomb Protection — Enable this setting to limit the amount of server resources that users with command line access may use.

    Note:

    If you enable this setting, it may cause resource shortage problems because this setting heavily limits various resources.

  • FTP Server Configuration — Disable Anonymous FTP. This interface allows you to configure your FTP server.

  • Manage Shell Access — Disable shell access for all other users. This interface allows you to select which users will have shell access on your server and whether that shell access is Normal or Jailed.

  • cPHulk Brute Force Protection — Set this value to On. This interface allows you to configure Brute Force Protection on your server.

    Note:

    If you enable this setting, we strongly recommend that you add trusted IP addresses to the White/Black List Management tab so that you do not lock yourself out of your server.

EasyApache configuration checklist

When you configure EasyApache, we strongly recommend that you include the following modules:

  • suphp — This module causes PHP scripts to run as the owner of the script instead of as the nobody user.

  • suhosin — This module is an advanced protection system for PHP installations. For more information, read the Suhosin website.

  • mod_security — This module is an open-source web application firewall. For more information, read our ModSecurity documentation.

EasyApache modules to avoid

We don’t support the following modules and recommend that you do not use them:

  • mod_frontpage — We do not provide or support FrontPage®. Additionally, Microsoft has not released updates or security patches for FrontPage in over a decade.

  • mod_perl — This module grants unlimited control to scripts over the website, which is unsafe in a shared hosting environment.

  • mod_jk — This module runs code as a shared user and presents a security risk.

  • mod_mono — This module runs code as a shared user and presents a security risk.

  • mod_mono2 — This module runs code as a shared user and presents a security risk.

  • Xcache — This module uses shared caching logic and EasyApache disables it by default.

  • EAccelerator — This module uses shared caching logic and EasyApache disables it by default.

  • mod_frontpage — You cannot install FrontPage®. Additionally, Microsoft has not released updates or security patches for FrontPage in over a decade.

Important:
  • We strongly recommend that you avoid any other modules that we mark as End-Of-Life or Deprecated.

  • We strongly recommend that you ensure that your software is up-to-date with its most recent stable versions. For example, the last release of PHP 5.3 was on August 14, 2014 and it has reached end-of-life. Even though PHP may backport security patches for this version, you should not consider it secure and should update it to PHP 5.4 or higher.

For more information, read our PCI Compliance and Software Versions documentation.

Global Configuration checklist

This checklist is for the Global Configuration section of WHM’s Global Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration).

  • Server tokens — Set this setting to Product Only to receive a more concise output than the other settings.

  • File ETag — Set this setting to None to receive a more concise output than the other settings.

Additional Documentation